Abstract

In extension of the bit commitment task and following work initiated by Crepeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum equivocation of the channel (after removing trivial redundancy), even when unlimited noiseless bidirectional side communication is allowed. By a well-known reduction, this result provides a lower bound on the channel's capacity for implementing coin tossing, which we conjecture to be an equality.

The method of proving this relates the problem to Wyner's wire-tap channel in an amusing way. We also discuss extensions to quantum channels.

1 Introduction 

Chess masters Alice and Bob are playing for the world chess championship and, 
after playing for several hours, realize that they will have to stop the game and 
resume it on the next morning. However, a problem arises: if Alice plays her 
turn before stopping the game, Bob will have the entire night to think of his 
next move, giving him an unfair advantage. If Alice does not play, she will have
the entire night to think of her move. How can they get out of this problem?

If there is a trusted referee, Alice can write down her move and put it into 
an envelope and give it to the referee, who will announce it to Bob in the next 
morning. As the referee is trusted, Alice will be unable to change her move after 
writing it down, also Bob will be unable to learn Alice's move before the next 
morning. Can Alice and Bob solve this problem without the help of a trusted 
referee? 
To solve these kinds of problems without the use of an active trusted party, Blum introduced commitment schemes in [?]. In a commitment scheme, Alice commits to a value by sending some piece of information to Bob during a commit phase. Later on, she can unveil the value she committed to by sending some opening information to Bob during an unveiling (also called reveal) phase. The protocol is said to be concealing if the information sent by Alice during the commit phase does not help Bob to learn a non-negligible amount of information on the value Alice is committing to. It is said to be binding if Alice is unable to commit to a certain value (which is usually a string of bits) and later on unveil a different one.

Without any kind of computational assumptions and assuming noiseless communications, commitment schemes are impossible (see e.g. [15]; the generalisation to quantum protocols is due to Mayers [20]). Therefore, research has mostly focused on schemes where the receiver is computationally bounded (computationally concealing schemes) or schemes where the sender is computationally bounded (computationally binding schemes). Examples of computationally binding but unconditionally concealing schemes are [?], [?] and [7]. Examples of computationally concealing but unconditionally binding schemes are [?] and [25].

It is now known that noise is a powerful resource for the implementation of cryptographic primitives: it allows for the construction of information theoretically secure cryptographic protocols — a task typically impossible without the noise, and in practice done by relaxing to computational security, assuming conjectures from complexity theory.

In his famous paper, Wyner was the first to exploit noise in order to establish a secure channel in the presence of an eavesdropper. These results were extended in studies of secret key distillation by Maurer [?], Ahlswede and Csiszar [1] and followers. The noise in these studies is assumed to affect the eavesdropper: thus, to work in practice, it has to be guaranteed or certified somehow. This might be due to some — trusted — third party who controls the channel (and thus prevents the cryptographic parties from cheating), or due to physical limitations, as in quantum key distribution [?]. Recently, Crepeau and Kilian [13] showed how information theoretically secure bit commitment can be implemented using a binary symmetric channel, their results being improved in [12] and [?].

The object of the present study is to optimise the use of the noisy channel, much as in Shannon's theory of channel capacities: while the previous studies have concentrated on the possibility of bit commitment using noisy channels, here we look at committing to one out of a larger message set, e.g. a bit string. We are able, for a general discrete memoryless channel, to characterise the commitment capacity by a simple (single-letter) formula (theorem 2, stated in section 2 and proved in two parts in sections 3 and 4). A few specific examples are discussed in section 5 to illustrate the main result. In section 6 results on an extension to quantum channels are related, and we close with a discussion (section 7). An appendix collects some facts about typical sequences used in the main proof.
2 Definitions and main result



In the commitment of a message there are two parties, called Alice and Bob, 
the first one given the message a from a certain set A. The whole procedure 
consists of two stages: first the commit phase, in which Alice (based on a) and 
Bob exchange messages, according to a protocol. This will leave Bob with a 
record (usually called view), to be used in the second stage, the reveal phase. 
This consists of Alice disclosing a and other relevant information to Bob. Bob 
performs a test on all his recorded data which accepts if Alice followed the 
rules and disclosed the correct information in the second stage, and rejects if a 
violation of the rules is discovered. 

To be useful, such a scheme has to fulfill two requirements: it must be 
"concealing" as well as "sound" and "binding": the first property means that 
after the commit phase Bob has no or almost no information about a (i.e., even 
though Alice has "committed" herself to something by the communications to 
Bob, this commitment remains secret), and this has to hold even if Bob does 
not follow the protocol, while Alice does. Soundness means that if both parties 
behave according to the protocol, Bob's test will accept (with high probability) 
after the reveal phase. The protocol to be binding means that Bob's test is such 
that whatever Alice did in the commit phase (with Bob following the rules) 
there is only at most one a she can "reveal" which passes Bob's test. 

In our present consideration there is an unlimited bidirectional noiseless channel available between Alice and Bob, and in addition a discrete memoryless noisy channel $W : \mathcal{X} \to \mathcal{Z}$ from Alice to Bob, which may be used $n$ times: on input $x^n = x_1 \ldots x_n$, the output distribution on $\mathcal{Z}^n$ is $W^n_{x^n} = W_{x_1} \otimes \cdots \otimes W_{x_n}$.

Definition 1 The channel $W$ is called non-redundant, if none of its output distributions is a convex combination of its other output distributions:

$\forall y\ \forall P \text{ s.t. } P(y) = 0:\quad W_y \neq \sum_x P(x)\,W_x.$

In geometric terms this means that all distributions $W_x$ are distinct extremal points of the polytope $\mathcal{W} = \mathrm{conv}\{W_x : x \in \mathcal{X}\}$, the convex hull of the output distributions within the probability simplex over $\mathcal{Z}$. Clearly, we can make $W$ into a non-redundant channel $\widetilde{W}$ by removing all input symbols $x$ whose output distribution $W_x$ is not extremal. The old channel can be simulated by the new one, because by feeding it distributions over input symbols one can generate the output distributions of the removed symbols.

The channel W is called trivial, if after making it non-redundant its output 
distributions have mutually disjoint support. This means that from the output 
one can infer the input with certainty. 
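As an added illustration of Definition 1 and the notion of a trivial channel (this is example code written for this page, not code from the paper): a channel is stored as a list of rows, row x being the output distribution $W_x$. An input symbol is redundant when its row lies in the convex hull of the other rows; the hull test below minimises the squared Euclidean distance from the row to the hull by projected gradient descent on the simplex (a convex problem whose minimum is 0 exactly when the row is in the hull). Rows are removed one at a time, which keeps exactly the extremal points even when two rows coincide. The channels at the bottom are constructed for the test; the tolerance and iteration count are numerical choices of this example.

```python
"""Non-redundancy reduction and triviality test for a discrete memoryless channel
(added example illustrating Definition 1; not the paper's own code)."""


def project_to_simplex(v):
    """Euclidean projection of the vector v onto the probability simplex."""
    u = sorted(v, reverse=True)
    cumsum, theta = 0.0, 0.0
    for j, uj in enumerate(u, start=1):
        cumsum += uj
        t = (cumsum - 1.0) / j
        if uj - t > 0:
            theta = t
    return [max(vi - theta, 0.0) for vi in v]


def hull_distance(target, rows, iters=5000):
    """min over P in the simplex of ||target - sum_y P(y) rows[y]||^2,
    by projected gradient descent with step 1/L (L = Lipschitz constant of the gradient).
    Returns the squared distance; 0 means target is a convex combination of rows."""
    m, d = len(rows), len(target)
    if m == 0:
        return sum(t * t for t in target)
    P = [1.0 / m] * m
    L = 2.0 * sum(sum(r * r for r in row) for row in rows)
    step = 1.0 / L

    def mix(P):
        return [sum(P[y] * rows[y][z] for y in range(m)) for z in range(d)]

    for _ in range(iters):
        resid = [a - b for a, b in zip(mix(P), target)]
        grad = [2.0 * sum(resid[z] * rows[y][z] for z in range(d)) for y in range(m)]
        P = project_to_simplex([P[y] - step * grad[y] for y in range(m)])
    resid = [a - b for a, b in zip(mix(P), target)]
    return sum(r * r for r in resid)


def make_non_redundant(W, tol=1e-6):
    """Remove input symbols whose output distribution is a convex combination of the
    others (Definition 1). Symbols are dropped one at a time, so of two identical rows
    exactly one survives. Returns (kept input indices, reduced channel)."""
    keep = list(range(len(W)))
    for x in range(len(W)):
        others = [W[y] for y in keep if y != x]
        if hull_distance(W[x], others) <= tol:
            keep.remove(x)
    return keep, [W[x] for x in keep]


def is_trivial(W, tol=1e-6):
    """A channel is trivial if, after making it non-redundant, the output
    distributions have mutually disjoint supports (the input can be read off the output)."""
    _, reduced = make_non_redundant(W, tol)
    for i in range(len(reduced)):
        for j in range(i + 1, len(reduced)):
            if any(a > tol and b > tol for a, b in zip(reduced[i], reduced[j])):
                return False
    return True


# Constructed channels for the demonstration (rows = inputs, columns = outputs).
T_EXAMPLE = [[0.5, 0.5], [1.0, 0.0], [0.0, 1.0]]   # row a is the midpoint of rows b and c
BSC_NOISY = [[0.9, 0.1], [0.1, 0.9]]                # non-redundant, not trivial
BSC_HALF = [[0.5, 0.5], [0.5, 0.5]]                 # identical rows: one survives, trivial

if __name__ == "__main__":
    for name, W in [("T", T_EXAMPLE), ("BSC(0.1)", BSC_NOISY), ("BSC(1/2)", BSC_HALF)]:
        print(name, "kept inputs:", make_non_redundant(W)[0], "trivial:", is_trivial(W))
```

The greedy removal is justified by the fact that deleting a point lying in the convex hull of the others leaves the hull unchanged, so the surviving rows are precisely the vertices of the polytope $\mathcal{W}$. For the channel $T_{\mathrm{EXAMPLE}}$ the first row is removed and the remaining two rows have disjoint supports, which is the situation the paper calls trivial.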

With this we can pass to a formal definition of a protocol: this, consisting 
of the named two stages, involves creation on Alice's side of either messages 
intended for the noiseless channel, or inputs to the noisy channel, based on 
previous messages received from Bob via the noiseless channel, which themselves
are based on data received before, etc. Both agents may employ probabilistic 
choices, which we model by Alice and Bob each using a random variable, M and 
N, respectively. This allows them to use deterministic functions in the protocol. 
Note that this makes all messages sent and received into well-defined random 
variables, dependent on a. 

Commit Phase: The protocol goes for $r$ rounds of Alice-to-Bob and Bob-to-Alice noiseless communications $U_j$ and $V_j$. After round $r_i$ ($r_1 < \ldots < r_n < r$) Alice will also send a symbol $X_i$ down the noisy channel $W$, which Bob receives as $Z_i$. Setting $r_0 = 0$ and $r_{n+1} = r$:

Round $r_i + k$ ($1 \le k \le r_{i+1} - r_i$): Alice sends $U_{r_i+k} = f_{r_i+k}(a, M, V^{r_i+k-1})$ noiselessly. Bob answers $V_{r_i+k} = g_{r_i+k}(Z^i, N, U^{r_i+k})$, also noiselessly. After round $r_i$, and before round $r_i + 1$ ($1 \le i \le n$), Alice sends $X_i = F_i(a, M, V^{r_i})$, which Bob receives as $Z_i = W(X_i)$.

Reveal Phase: A similar procedure as the Commit Phase, but without the noisy 
channel uses, including Alice's sending a to Bob. At the end of the exchange 
Bob performs a test as to whether to accept Alice's behaviour or not. It is 
easily seen that this procedure can be simulated by Alice simply telling Bob a 
and $M$, after which Bob performs his test $\beta(Z^n, N, U^r; a, M) \in \{\mathrm{ACC}, \mathrm{REJ}\}$.
I.e., requiring Alice to reveal M and a makes cheating for her only more difficult. 

We shall, for technical reasons, impose the condition that the range of the variable $U^r$ is bounded:

$|U^r| \le \exp(Bn), \qquad (1)$

with a constant $B$. Note that $\exp$ and $\log$ in this paper are always to base 2, unless otherwise stated.

Now, the mathematical form of the conditions for concealing as well as for soundness and binding is this: we call the above protocol $\epsilon$-concealing if for any two messages $a, a' \in \mathcal{A}$ and any behaviour of Bob during the commit phase,

$\frac{1}{2}\bigl\|\mathrm{Distr}_a(Z^n N U^r) - \mathrm{Distr}_{a'}(Z^n N U^r)\bigr\|_1 \le \epsilon, \qquad (A)$

where $\mathrm{Distr}_a(Z^n N U^r)$ is the distribution of the random variables $Z^n N U^r$ after completion of the commit phase which Alice entered with the message $a$ and the randomness $M$, and with the $\ell_1$-norm $\|\cdot\|_1$; the above expression is identical to the total variational distance of the distributions. This is certainly the strongest requirement one could wish for: it says that no statistical test of Bob immediately after the commit phase can distinguish between $a$ and $a'$ with probability larger than $\epsilon$. Note that $V^r$ is a function of $Z^n N U^r$, and hence could be left out in eq. (A). Assuming any probability distribution on the messages, $a$ is the value of a random variable $A$, and it is jointly distributed with all other variables of the protocol. Then, whatever Bob's strategy,

$I(A \wedge Z^n N U^r) \le \epsilon' = H(2\epsilon, 1 - 2\epsilon) + 2n\epsilon(\log B + \log|\mathcal{Z}|), \qquad (A')$

where

$I(X \wedge Y) = H(X) + H(Y) - H(XY)$

is the (Shannon) mutual information between $X$ and $Y$, and

$H(X) = -\sum_x \Pr\{X = x\}\,\log \Pr\{X = x\}$

is the (Shannon) entropy of $X$ [25].

We call the protocol $\delta$-sound and $\delta$-binding ($\delta$-binding for short), if for Alice and Bob following the protocol, for all $a \in \mathcal{A}$,

$\Pr\{\beta(Z^n N U^r; aM) = \mathrm{ACC}\} \ge 1 - \delta, \qquad (B1)$

and, whatever Alice does during the commit phase, governed by a random variable $S$ with values $\sigma$ (which determines the distribution of $Z^n N U^r$), for all $A = \alpha(S, V^r)$, $A' = \alpha'(S, V^r)$, $M = \mu(S, V^r)$ and $M' = \mu'(S, V^r)$ such that $A \neq A'$ with probability 1,

$\Pr\{\beta(Z^n N U^r; AM) = \mathrm{ACC}\ \&\ \beta(Z^n N U^r; A'M') = \mathrm{ACC}\} \le \delta. \qquad (B2)$

Note that by convexity the cheating attempt of Alice is w.l.o.g. deterministic, which is to say that $S$ takes on only one value $\sigma$ with non-zero probability, hence $\Pr\{S = \sigma\} = 1$.

We call $\frac{1}{n}\log|\mathcal{A}|$ the (commitment) rate of the protocol. A rate $R$ is said to be achievable if there exist commitment protocols for every $n$ with rates converging to $R$, which are $\epsilon$-concealing and $\delta$-binding with $\epsilon, \delta \to 0$ as $n \to \infty$. The commitment capacity $C_{\mathrm{com}}(W)$ of $W$ is the supremum of all achievable rates.

The main result of this paper is the following theorem: 

Theorem 2 The commitment capacity of the discrete channel $W$ (assumed to be non-redundant) is

$C_{\mathrm{com}}(W) = \max\{H(X|Z) : X, Z \text{ RVs},\ \mathrm{Distr}(Z|X) = W\},$

i.e., the maximal equivocation of the channel over all possible input distributions.

Corollary 3 Every non-trivial discrete memoryless channel can be used to per- 
form bit commitment. □ 

By invoking the well-known reduction of coin tossing to bit commitment we 
obtain: 

Corollary 4 The channel $W$ can be used for secure two-party coin tossing at rate at least $C_{\mathrm{com}}(W)$. I.e., for the naturally defined coin tossing capacity $C_{\mathrm{c.t.}}(W)$, one has $C_{\mathrm{c.t.}}(W) \ge C_{\mathrm{com}}(W)$. □
This theorem will be proved in the following two sections (propositions 8 and 9): first we construct a protocol achieving the equivocation bound, showing that exponential decrease of $\epsilon$ and $\delta$ is possible, and without using the noiseless side channels at all during the commit phase. Then we show the optimality of the bound.

To justify our allowing small errors both in the concealing and the binding 
property of a protocol, we close this section by showing that demanding too 
much trivialises the problem: 

Theorem 5 There is no bit-commitment via $W$ which is $\epsilon$-concealing and 0-binding with $\epsilon < 1$. I.e., not even two distinct messages can be committed: $|\mathcal{A}| = 1$.

Proof. If the protocol is 0-sound, this means that for every value $\mu$ attained by $M$ with positive probability, Bob will accept the reveal phase if Alice behaved according to the protocol. On the other hand, that the protocol is 0-binding means that for $a \neq a'$ and arbitrary $\mu'$, Bob will never accept if Alice behaves according to the protocol in the commit phase, with values $a\mu$, but tries to "reveal" $a'\mu'$. This opens the possibility of a decoding method for $a$ based on $Z^n N U^r$: Bob simply tries out all possible $a\mu$ with his test $\beta$; the single $a$ which is accepted must be the one used by Alice. Hence the scheme cannot be $\epsilon$-concealing with $\epsilon < 1$. □

Remark 6 By contrast, it is easy to construct schemes both 0-concealing and $\delta$-binding with $\delta < 1$, for an appropriately defined channel. Consider the channel $F$ with input and output alphabets $\mathcal{X} = \mathcal{Z} = \{0, 1, 2, 3\}$ and signals defined by

$F(z|x) = \begin{cases} 1/2 & \text{if } z - x = 0 \text{ or } 1 \bmod 4, \\ 0 & \text{otherwise.} \end{cases}$

Alice commits to the bit $b$ by picking $c \in \{0, 1\}$ at random and sending $x = b + 2c$ (for which Bob receives a random $z$ such that $z - x = 0$ or $1 \bmod 4$). To reveal, she tells him $x$ (which decodes to a unique $b$) and he accepts iff $z - x = 0$ or $1 \bmod 4$.

Clearly, this scheme is 0-concealing because for both $b = 0$ and $b = 1$ Bob sees the uniform distribution on $\mathcal{Z}$. Equally obviously, it is 0-sound, but it is also $\frac{1}{2}$-binding: for if Alice wants to "reveal" $b' \neq b$ (with corresponding $x' \neq x$), she has only a probability of $\frac{1}{2}$ to pick $x'$ with $z - x' = 0$ or $1 \bmod 4$.

This simple scheme is in fact the template for the coding scheme of proposition 7; put differently, on sufficiently large scale (block length) every channel looks like $F$.
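The following added example (written for this page, not taken from the paper) checks the claims of Remark 6 with exact rational arithmetic: it evaluates the concealing parameter of eq. (A) for the two committed bits, Bob's acceptance probability for an honest Alice, and the best acceptance probability a cheating Alice can reach when she committed to $b$ and tries to reveal the other bit. The cheating strategies enumerated are the deterministic ones (a choice of claimed $x'$ for each $x$ she may have sent), which by the convexity remark after (B2) is without loss of generality. Function and variable names are this example's own.

```python
"""Exact analysis of the toy channel F of Remark 6 (added example, not from the paper).
X = Z = {0,1,2,3}, F(z|x) = 1/2 if z - x is 0 or 1 (mod 4), else 0."""
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)


def F(x, z):
    """Transition probability F(z|x) of the channel in Remark 6."""
    return HALF if (z - x) % 4 in (0, 1) else Fraction(0)


def accepts(z, x_claimed):
    """Bob's test at reveal time: accept iff z - x_claimed is 0 or 1 mod 4."""
    return (z - x_claimed) % 4 in (0, 1)


def bob_view(b):
    """Distribution of Bob's channel output z when Alice honestly commits to bit b:
    she draws c uniformly and sends x = b + 2c."""
    view = {z: Fraction(0) for z in range(4)}
    for c in (0, 1):
        x = b + 2 * c
        for z in range(4):
            view[z] += HALF * F(x, z)
    return view


def concealing_epsilon():
    """epsilon of eq. (A): half the L1 distance between Bob's views for b = 0 and b = 1."""
    v0, v1 = bob_view(0), bob_view(1)
    return HALF * sum(abs(v0[z] - v1[z]) for z in range(4))


def honest_acceptance_probability(b):
    """Soundness: probability that Bob accepts when Alice commits to b and reveals the x she sent."""
    p = Fraction(0)
    for c in (0, 1):
        x = b + 2 * c
        p += HALF * sum(F(x, z) for z in range(4) if accepts(z, x))
    return p


def best_cheating_probability(b):
    """Alice commits honestly to b and later tries to reveal b' = 1 - b. A deterministic
    strategy maps each x she may have sent to a claimed x' of the opposite parity; the
    best one is found by enumeration. Alice does not see z, so the choice cannot depend on it."""
    sent = [b, b + 2]
    alternatives = [x for x in range(4) if x % 2 != b]
    best = Fraction(0)
    for choice in product(alternatives, repeat=len(sent)):
        p = Fraction(0)
        for x, x_claimed in zip(sent, choice):
            p += HALF * sum(F(x, z) for z in range(4) if accepts(z, x_claimed))
        best = max(best, p)
    return best


if __name__ == "__main__":
    print("epsilon =", concealing_epsilon())
    for b in (0, 1):
        print(f"b={b}: honest accept {honest_acceptance_probability(b)}, "
              f"best cheat {best_cheating_probability(b)}")
```

The enumeration confirms that every cheating strategy succeeds with probability exactly $\frac{1}{2}$ here, which is why the paper calls the scheme $\frac{1}{2}$-binding, while Bob's view is the uniform distribution on $\mathcal{Z}$ for both bits, giving $\epsilon = 0$.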

3 A scheme meeting the equivocation bound 

Here we describe and prove security bounds of a scheme which is very simple compared to the generality we allowed in section 2: in the commit phase it consists only of a single block use of the noisy channel $W^n$, with no public discussion at all, where the input $X^n$ is a random one-to-many function of $a$ (in particular, $a$ is a function of the $x^n$ chosen). In the reveal phase Alice simply announces $X^n$ to Bob.

Proposition 7 Given $\alpha, \tau > 0$, and a distribution $P$ of $X \in \mathcal{X}$, with the output $Z = W(X)$, $Q = \mathrm{Distr}(Z)$. Then there exists a collection of codewords

$(\xi_{a\mu} \in \mathcal{X}^n : a = 1, \ldots, K,\ \mu = 1, \ldots, L)$

with the following properties:

1. For all $(a, \mu) \neq (a', \mu')$, $d_H(\xi_{a\mu}, \xi_{a'\mu'}) \ge 2\alpha n$.

2. For every $a$:

$\frac{1}{2}\Bigl\|\frac{1}{L}\sum_{\mu=1}^{L} W^n_{\xi_{a\mu}} - Q^{\otimes n}\Bigr\|_1 \le 25|\mathcal{X}||\mathcal{Z}|\exp(-n\tau).$

3. There are constants $G, G'$ and a continuous function $G''$ vanishing at 0 such that

$K \ge \frac{1}{2n}(3 + \log|\mathcal{X}| + \log|\mathcal{Z}|)^{-1}\exp\bigl(nH(X|Z) - n\sqrt{2\tau}\,G' - nG''(\alpha)\bigr),$

$L \le n(3 + \log|\mathcal{X}| + \log|\mathcal{Z}|)\exp\bigl(nI(X \wedge Z) + n\sqrt{2\tau}\,G\bigr).$

Proof. To get the idea, imagine a wiretap channel with $W^n$ as the stochastic matrix of the eavesdropper and a symmetric channel $S_\sigma : \mathcal{X} \to \mathcal{Y} = \mathcal{X}$ for the legal user:

$S_\sigma(y|x) = 1 - \sigma$ if $x = y$, [the remaining case of this definition is lost in the extracted text].

The random coding strategy for such a channel, according to Wyner's solution [22] (but see also [?] and [?]) will produce a code with the properties 2 and 3. Because the code for the legal user must fight the noise of the symmetric channel $S_\sigma$, we can expect its codewords to be of large mutual Hamming distance, i.e., we should get property 1.

In detail: pick the $\xi_{a\mu}$ i.i.d. according to the distribution $P_n$, which is 0 outside $\mathcal{T}^n_P$ (the typical sequences, see appendix A) and $P^{\otimes n}$ within, suitably normalised. Also introduce the subnormalised measures $\widetilde{W}^n_{x^n}$: this is identical to $W^n_{x^n}$ within $\mathcal{T}^n_W(x^n)$ and 0 outside. We will show that with high probability we can select codewords with properties 2 and 3, and only a small proportion of which violate property 1; then by an expurgation argument we will obtain the desired code.

By eqs. (?) and (14) in the appendix we have

$[\text{left-hand side lost in the extracted text}] \le 3|\mathcal{X}||\mathcal{Z}|\exp(-n\tau), \qquad (2)$
with the expectation referring to the distribution $P_n$ of the $\xi_{a\mu}$. Observe that the support of all $\widetilde{W}^n_{\xi_{a\mu}}$ is contained in $\mathcal{T}^n_Q$ using eq. (?) of the appendix. Now, $S$ is defined as the set of those $z^n$ for which

$\mathbb{E}\,\widetilde{W}^n_{\xi}(z^n) \ge T := \exp(-n\tau)\exp\bigl(-nH(Q) - n\sqrt{2\tau}|\mathcal{X}|F\bigr),$

with $F = \sum_{z : Q(z) \neq 0} -\log Q(z)$, and define $\widehat{W}^n_{x^n}(z^n) = \widetilde{W}^n_{x^n}(z^n)$ if $z^n \in S$ and 0 otherwise. With the cardinality estimate eq. (11) of the appendix and eq. (2) we obtain

$\frac{1}{2}\bigl\|\mathbb{E}\,\widehat{W}^n_{\xi_{a\mu}} - Q^{\otimes n}\bigr\|_1 \le 4|\mathcal{X}||\mathcal{Z}|\exp(-n\tau). \qquad (3)$

The Chernoff bound allows us now to efficiently sample the expectation $\widehat{Q}^n := \mathbb{E}\,\widehat{W}^n_{\xi}$: observe that all the values of $\widehat{W}^n_{\xi}$ are upper bounded by

$t := \exp\bigl(-nH(W|P) + n\sqrt{2\tau}|\mathcal{X}|\log|\mathcal{Z}| + n\sqrt{2\tau}E\bigr),$

using eq. (15). Thus, rescaling the variables, by the Chernoff lemma of the appendix and with the union bound, we get

$\Pr\Bigl\{\forall a\ \forall z^n \in S:\ \frac{1}{L'}\sum_{\mu=1}^{L'}\widehat{W}^n_{\xi_{a\mu}}(z^n) \in \bigl[(1 \pm \exp(-n\tau))\,\widehat{Q}^n(z^n)\bigr]\Bigr\}\ [\text{bound lost in the extracted text}] \qquad (4)$

which is smaller than $1/2$ if

$L' \ge 2 + n(\log|\mathcal{X}| + \log|\mathcal{Z}|)\exp\bigl(nI(X \wedge Z) + n\sqrt{2\tau}G\bigr),$

with $G = 3 + |\mathcal{X}|F + |\mathcal{X}|\log|\mathcal{Z}| + E$. Note that in this case, there exist values for the $\xi_{a\mu}$ such that the averages $\frac{1}{L'}\sum_\mu \widehat{W}^n_{\xi_{a\mu}}$ are close to $Q^{\otimes n}$.

Now we have to enforce property 1: in a random batch of $\xi_{a\mu}$ we call $a\mu$ bad if $\xi_{a\mu}$ has Hamming distance less than $2\alpha n$ from another $\xi_{a'\mu'}$. The probability that $a\mu$ is bad is easily bounded:

$\Pr\{a\mu \text{ bad}\} \le 2|\mathcal{X}|\exp(-n\tau) + P^{\otimes n}\Bigl(\bigcup_{a'\mu' \neq a\mu} B_{\xi_{a'\mu'}}\Bigr)$

$\le 2|\mathcal{X}|\exp(-n\tau) + \max\Bigl\{P^{\otimes n}(\mathcal{A}) : |\mathcal{A}| \le K'L'\binom{n}{2\alpha n}|\mathcal{X}|^{2\alpha n}\Bigr\}$

$\le 5|\mathcal{X}|\exp(-n\tau),$

by eq. (13) in the appendix, because we choose

$K' \le \frac{1}{n}(3 + \log|\mathcal{X}| + \log|\mathcal{Z}|)^{-1}\exp\bigl(nH(X|Z) - n\sqrt{2\tau}G - 2n\sqrt{2\tau}D - nH(2\alpha, 1 - 2\alpha) - 2n\alpha\log|\mathcal{X}|\bigr),$
hence

$K'L'\binom{n}{2n\alpha}|\mathcal{X}|^{2n\alpha} \le \exp\bigl(nH(P) - 2n\sqrt{2\tau}D\bigr).$

Thus, with probability at least $1/2$, only a fraction of $10|\mathcal{X}|\exp(-n\tau)$ of the $a\mu$ are bad. Putting this together with eq. (4), we obtain a selection of $\xi_{a\mu}$ such that

$[\text{left-hand side lost in the extracted text}] \le 5|\mathcal{X}||\mathcal{Z}|\exp(-n\tau) \qquad (5)$

and only a fraction of $10|\mathcal{X}|\exp(-n\tau)$ of the $a\mu$ are bad.

This means that for at least half of the $a$, w.l.o.g. $a = 1, \ldots, K = K'/2$, only a fraction $20|\mathcal{X}|\exp(-n\tau)$ of the $\mu$ form bad pairs $a\mu$, w.l.o.g. for $\mu = L + 1, \ldots, L'$, with $L = (1 - 20|\mathcal{X}|\exp(-n\tau))L'$. Throwing out the remaining $a$ and the bad $\mu$, we are left with a code as desired. □

Observe that a receiver of $Z^n$ can efficiently check claims about the input $\xi_{a\mu}$ because of property 1, that distinct codewords have "large" Hamming distance. The non-redundancy of $W$ rules out one-sided errors in this checking, as we shall see. The test $\beta$ is straightforward: it accepts iff $Z^n \in \mathcal{T}^n_W(\xi_{a\mu})$, the set of conditional typical sequences, see appendix A. This ensures soundness; for the bindingness we refer to the following proof.

We are now in a position to describe a protocol, having chosen codewords according to proposition 7:

Commit phase: To commit to a message $a$, Alice picks $\mu \in \{1, \ldots, L\}$ uniformly at random and sends $\xi_{a\mu}$ through the channel. Bob obtains a channel output $z^n$.

Reveal phase: Alice announces $a$ and $\mu$. Bob performs the test $\beta$: he accepts if $z^n \in B_{a\mu} := \mathcal{T}^n_W(\xi_{a\mu})$ and rejects otherwise.



Proposition 8 Assume that for all $x \in \mathcal{X}$ and distributions $P$ with $P(x) = 0$,

$\Bigl\|W_x - \sum_y P(y)W_y\Bigr\|_1 \ge [\text{threshold lost in the extracted text}];$

then the above protocol implements an $\epsilon$-concealing and $\delta$-binding commitment with rate

$\frac{1}{n}\log K \ge H(X|Z) - \sqrt{2\tau}\,G' - H(2\alpha, 1 - 2\alpha) - 2\alpha\log|\mathcal{X}| - \frac{1}{n} - O\Bigl(\frac{\log n}{n}\Bigr)$

and exponentially bounded security parameters:

$\epsilon = 50|\mathcal{X}||\mathcal{Z}|\exp(-n\tau),$

$\delta = 2|\mathcal{X}||\mathcal{Z}|\exp(-2n\tau^2).$






Proof. That the protocol is $\epsilon$-concealing is obvious from property 2 of the code in proposition 7: Bob's distribution of $Z^n$ is always $\epsilon/2$-close to $Q^{\otimes n}$, whatever $a$ is.

To show $\delta$-bindingness observe first that if Alice is honest, sending $\xi_{a\mu}$ in the commit phase and later revealing $a\mu$, the test $\beta$ will accept with high probability:

$\Pr\{Z^n \in B_{a\mu}\} \ge 1 - 2|\mathcal{X}||\mathcal{Z}|\exp(-n\tau) \ge 1 - \delta,$

by eq. (14) in the appendix.

On the other hand, if Alice cheats, we may — in accordance with our definition — assume her using a deterministic strategy: i.e., she "commits" sending some $x^n$ and later attempts to "reveal" either $a\mu$ or $a'\mu'$, with $a \neq a'$. Because of property 1 of the code in proposition 7 at least one of the codewords $\xi_{a\mu}$, $\xi_{a'\mu'}$ is at Hamming distance at least $\alpha n$ from $x^n$: w.l.o.g., the former of the two. But then the test $\beta$ accepts "revelation" of $a\mu$ with small probability:

$\Pr\{Z^n \in B_{a\mu}\} = W^n_{x^n}\bigl(\mathcal{T}^n_W(\xi_{a\mu})\bigr) \le 2\exp(-2n\tau^2) \le \delta,$

by the corresponding lemma in the appendix. □



4 Upper bounding the achievable rate 

We assume that $W$ is non-redundant. We shall prove the following assertion, assuming a uniformly distributed variable $A \in \mathcal{A}$ of messages.

Proposition 9 Consider an $\epsilon$-concealing and $\delta$-binding commitment protocol with $n$ uses of $W$. Then

$\log|\mathcal{A}| \le n\max\{H(X|Z) : \mathrm{Distr}(Z|X) = W\} + n\bigl(\epsilon(\log B + \log|\mathcal{Z}|) + 5\sqrt{\delta}\log|\mathcal{X}|\bigr) + 2.$

The key of its proof, as it turns out, is the insight that in the above protocol, should it be concealing and binding, $x^n$ together with Bob's view of the commit phase (essentially) determine $a$. In the more general formulation we permitted in section 2 we prove:

$H(A \mid Z^n N U^r; X^n) \le \delta' = H(5\sqrt{\delta}, 1 - 5\sqrt{\delta}) + 5\sqrt{\delta}\log|\mathcal{A}|. \qquad (B')$

Intuitively, this means that with the items Alice entered into the commit phase of the protocol and those which are accessible to Bob, not too many values of $A$ should be consistent — otherwise Alice had a way to cheat.
Proof of eq. (B'). For each $a\mu$ the commit protocol (both players being honest) creates a distribution $\Lambda_{a\mu}$ over conversations $(x^n v^r; z^n u^r)$. We leave out Bob's random variable $N$ here, noting that he can create its correct conditional distribution from $z^n u^r; v^r$, which is his view of the conversation. The only other place where he needs it is to perform the test $\beta$. We shall in the following assume that it includes this creation of $N$, which makes $\beta$ into a probabilistic test, depending on $(a\mu v^r; z^n u^r)$.

The pair $a\mu$ has a probability $\alpha_{a\mu}$ that its conversation with subsequent revelation of $a\mu$ is accepted. By soundness, we have

$\sum_\mu \Pr\{M = \mu\}\,\alpha_{a\mu} \ge 1 - \delta,$

for every $a$. Hence, by Markov's inequality, there exists (for every $a$) a set of $\mu$ of total probability $\ge 1 - \sqrt{\delta}$ for which $\alpha_{a\mu} \ge 1 - \sqrt{\delta}$. We call such $\mu$ good for $a$.

From this we get a set $C_{a\mu}$ of "partial" conversations $(x^n v^r; u^r)$, with probability $\Lambda_{a\mu}(C_{a\mu}) \ge 1 - \sqrt{\delta}$, which are accepted with probability at least $1 - \sqrt{\delta}$. (In the test also $Z^n$ enters, which is distributed according to $W^n_{x^n}$.)

Let us now define the set

$C_a = \bigcup_{\mu \text{ good for } a} C_{a\mu},$

which is a set of "partial conversations" which are accepted with probability at least $1 - \sqrt{\delta}$ and

$\Lambda_a(C_a) \ge 1 - 2\sqrt{\delta},$

with the distribution

$\Lambda_a = \sum_\mu \Pr\{M = \mu\}\,\Lambda_{a\mu}$

over "partial conversations": it is the distribution created by the commit phase given the message $a$. We claim that

$\Lambda_a\Bigl\{X^n V^r; U^r \in \bigcup_{a' \neq a} C_{a'}\Bigr\} \le 3\sqrt{\delta}. \qquad (7)$

Indeed, if this were not the case, Alice had the following cheating strategy: in the commit phase she follows the protocol for input message $a$. In the reveal phase she looks at the "partial conversation" $x^n v^r; u^r$ and tries to "reveal" some $a'\mu'$ for which the partial conversation is in $C_{a'\mu'}$ (if these do not exist, $a'\mu'$ is arbitrary). This defines random variables $A'$ and $M'$ for which it is easily checked that

$\Pr\{\beta(Z^n N U^r; aM) = \mathrm{ACC}\ \&\ \beta(Z^n N U^r; A'M') = \mathrm{ACC}\} > \delta,$

contradicting the $\delta$-bindingness condition.

Using eq. (7) we can build a decoder $\widehat{A}$ for $A$ from $X^n V^r; U^r$: choose $\widehat{A} = a$ such that $X^n V^r; U^r \in C_a$; if there exists none or more than one, let $\widehat{A}$ be arbitrary. Clearly,

$\Pr\{\widehat{A} \neq A\} \le 5\sqrt{\delta},$

and invoking Fano's inequality we are done. □

Armed with this, we can now proceed to the

Proof of proposition 9. We can successively estimate

$H(X^n|Z^n) \ge H(X^n|Z^n N U^r)$

$= H(AX^n|Z^n N U^r) - H(A|Z^n N U^r; X^n)$

$\ge H(A|Z^n N U^r) - H(A|Z^n N U^r; X^n)$

$\ge H(A|Z^n N U^r) - \delta'$

$= H(A) - I(A \wedge Z^n N U^r) - \delta'$

$\ge H(A) - \epsilon' - \delta',$

using eq. (B') in the fourth, eq. (A') in the sixth line. On the other hand, subadditivity and the conditioning inequality imply

$H(X^n|Z^n) \le \sum_{k=1}^{n} H(X_k|Z_k),$

yielding the claim, because $H(A) = \log|\mathcal{A}|$.

The application to the proof of the converse of theorem 2 is by observing that $\epsilon', \delta' = o(n)$. □

Note that for the proof of the proposition we considered only a very weak attempt of Alice to cheat: she behaves according to the protocol during the commit phase, and only at the reveal stage does she try to be inconsistent. Similarly, our concealingness condition considered only passive attempts to cheat by Bob, i.e., he follows exactly the protocol, and tries to extract information about $A$ only by looking at his view of the exchange.

Thus, even in the model of passive cheating, which is less restrictive than our definition in section 2, we obtain the upper bound of proposition 9.



5 Examples 

In this section we discuss some particular channels, which we present as stochas- 
tic matrices with the rows containing the output distributions. 

1. Binary symmetric channel $B_p$: Let $0 \le p \le 1$. Define

$B_p := \begin{pmatrix} 1 - p & p \\ p & 1 - p \end{pmatrix}.$

The transmission capacity of this channel is easily computed from Shannon's formula [21]: $C(B_p) = 1 - H(p, 1 - p)$, which is non-zero iff $p \neq 1/2$. The optimal input distribution is the uniform distribution $(1/2, 1/2)$ on $\{0, 1\}$. Note that this channel is trivial if $p \in \{0, 1/2, 1\}$, hence $C_{\mathrm{com}}(B_p) = 0$ for these values of $p$. We may thus, w.l.o.g., assume that $0 < p < 1/2$, for which $B_p$ is non-redundant. It is not hard to compute the optimal input distribution as the uniform distribution, establishing $C_{\mathrm{com}}(B_p) = H(p, 1 - p)$.

The result is in accordance with our intuition: the noisier the channel is, the 
worse it is for transmission, but the better for commitment. 

2. A trivial channel: Consider the channel

$T := \begin{pmatrix} 1/2 & 1/2 \\ 1 & 0 \\ 0 & 1 \end{pmatrix}$

(rows labelled by the input symbols $a$, $b$, $c$). Clearly, $T$ is trivial, hence $C_{\mathrm{com}}(T) = 0$. Still it is an interesting example in the light of our proof of proposition 7: for assume a wiretap channel for which $T$ is the stochastic matrix of the eavesdropper, while the legal user obtains a noiseless copy of the input. Then clearly the wiretap capacity of this system is 1, with optimal input distribution $(1/2, 1/4, 1/4)$.

3. Transmission and commitment need not be opposites: We show here an example of a channel where the optimising input distributions for transmission and for commitment are very different:

$V := \begin{pmatrix} 1/2 & 1/2 \\ 1 & 0 \end{pmatrix}$

(rows labelled by the input symbols 0 and 1). It can be easily checked that the maximum of the mutual information, i.e. the transmission capacity, is attained for the input distribution

$P(0) = 0.4, \qquad P(1) = 0.6,$

from which we obtain $C(V) \approx 0.3219$. On the other hand, the equivocation is maximised for the input distribution

$P'(0) \approx 0.5528, \qquad P'(1) \approx 0.4472,$

from which we get that $C_{\mathrm{com}}(V) \approx 0.6942$. The maximising distributions are so different that the sum $C(V) + C_{\mathrm{com}}(V) > 1$, i.e. it exceeds the maximum input and output entropies of the channel.
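The three examples above can be reproduced numerically; the following is an added example written for this page, not code from the paper. The transmission capacity $C(W) = \max_P I(X \wedge Z)$ is computed with the Blahut-Arimoto iteration, and the commitment capacity of Theorem 2, $\max_P H(X|Z)$, by an exhaustive grid over the input simplex (the equivocation need not be concave in $P$, so a local method could stop at the wrong point; the grid step is a choice of this example). Channels are lists of rows as in this section; the values of $T$ and $V$ are those given above. The raw (redundant) matrix $T$ reaches equivocation 1 at $(1/2, 1/4, 1/4)$, which is the wiretap value quoted in example 2, while its non-redundant reduction to rows $b, c$ has equivocation 0, matching $C_{\mathrm{com}}(T) = 0$.

```python
"""Transmission capacity vs. commitment capacity for the Section 5 channels
(added example; not the paper's code)."""
import math


def h(*probs):
    """Shannon entropy in bits of a probability vector (0 log 0 = 0)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def output_dist(P, W):
    return [sum(P[x] * W[x][z] for x in range(len(W))) for z in range(len(W[0]))]


def mutual_information(P, W):
    """I(X;Z) = H(Z) - H(Z|X) for input distribution P and channel W."""
    Q = output_dist(P, W)
    return h(*Q) - sum(P[x] * h(*W[x]) for x in range(len(W)))


def equivocation(P, W):
    """H(X|Z) = H(X) - I(X;Z)."""
    return h(*P) - mutual_information(P, W)


def capacity(W, iters=2000):
    """Blahut-Arimoto: P(x) <- P(x) exp(D(W_x || Q)) / normaliser, starting from uniform.
    Returns (C(W), maximising input distribution)."""
    m = len(W)
    P = [1.0 / m] * m
    for _ in range(iters):
        Q = output_dist(P, W)
        D = [math.exp(sum(W[x][z] * math.log(W[x][z] / Q[z])
                          for z in range(len(Q)) if W[x][z] > 0)) for x in range(m)]
        total = sum(P[x] * D[x] for x in range(m))
        P = [P[x] * D[x] / total for x in range(m)]
    return mutual_information(P, W), P


def compositions(total, parts):
    """All tuples of `parts` non-negative integers summing to `total`."""
    if parts == 1:
        yield (total,)
        return
    for i in range(total + 1):
        for rest in compositions(total - i, parts - 1):
            yield (i,) + rest


def commitment_capacity(W, steps):
    """max_P H(X|Z) over the grid of input distributions with entries k/steps
    (Theorem 2, for a non-redundant W). Returns (value, maximising P)."""
    best, best_P = -1.0, None
    for comp in compositions(steps, len(W)):
        P = [c / steps for c in comp]
        val = equivocation(P, W)
        if val > best:
            best, best_P = val, P
    return best, best_P


def bsc(p):
    return [[1 - p, p], [p, 1 - p]]


# Channels of Section 5 (rows = input symbols, columns = output symbols).
V = [[0.5, 0.5], [1.0, 0.0]]
T = [[0.5, 0.5], [1.0, 0.0], [0.0, 1.0]]
T_REDUCED = [[1.0, 0.0], [0.0, 1.0]]   # T after removing the redundant input a

if __name__ == "__main__":
    print("C(V) =", capacity(V))
    print("C_com(V) =", commitment_capacity(V, 20000))
    print("C(B_0.1) =", capacity(bsc(0.1)), " C_com(B_0.1) =", commitment_capacity(bsc(0.1), 2000))
    print("max H(X|Z) for raw T =", commitment_capacity(T, 200))
    print("C_com(T) via reduced T =", commitment_capacity(T_REDUCED, 200))
```

For $V$ the two searches return $C(V) \approx 0.3219$ at $P(0) = 0.4$ and $C_{\mathrm{com}}(V) \approx 0.6942$ at $P'(0) \approx 0.5528$, so their sum indeed exceeds 1; for $B_p$ both optima sit at the uniform input, with $C = 1 - H(p, 1-p)$ and $C_{\mathrm{com}} = H(p, 1-p)$.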



6 Quantum channels 

The construction of section 3 can be carried over to a class of quantum channels, namely so-called cq-channels (classical-quantum channels):

$W : \mathcal{X} \to \mathcal{S}(\mathcal{H}),$

a map from an input alphabet (here assumed to be finite) into the set of states on a Hilbert space $\mathcal{H}$, also assumed to be finite-dimensional in the present discussion. (For an overview of quantum information theory see [?] and the textbook [?].) Non-redundancy means the same here, only that the convex structure is now the convex compact set of states, instead of the probability simplex. We assume this property of $W$ silently in the following.

Theorem 10 For a distribution $P$ on the input alphabet, one can achieve the commitment rate

$H(P) - \chi(\{P(x); W_x\}), \qquad (8)$

with the Holevo mutual information [?]

$\chi(\{P(x); W_x\}) = S\Bigl(\sum_x P(x)W_x\Bigr) - \sum_x P(x)\,S(W_x),$

where $S(\rho) = -\mathrm{Tr}\,\rho\log\rho$ is the von Neumann entropy of a state.

The maximum of the expression is optimal in the case of no noiseless side communication during the commit phase.

Proof (Sketch). For the achievability one proves a coding result similar to proposition 7, with the $\|\cdot\|_1$ norm denoting trace norm. The most crucial point is property 2: our proof used two things: restricting the distributions $W^n_{x^n}$ to typical sequences — this can be done also for states by constructing typical subspaces — and the Chernoff bound to obtain a "small sample". We use an analogue of this for operators from [2], stated below as lemma 11. This technique is actually used in the work of Cai and Yeung [?] to construct codes for the quantum wiretap channel.

For the optimality, it is not hard to prove the quantum analogues of eqs. (A') and (B'), and then the upper bound follows exactly as in our proof of proposition 9. □

Lemma 11 (Ahlswede, Winter [2]) Let $X_1, \ldots, X_L$ be i.i.d. random variables taking values in the operators $\mathcal{B}(\mathcal{H})$ on the $D$-dimensional Hilbert space $\mathcal{H}$, $0 \le X_i \le \mathbb{1}$, with $A = \mathbb{E}X_i \ge a\mathbb{1}$, and let $\eta > 0$. Then

$\Pr\Bigl\{\frac{1}{L}\sum_{i=1}^{L} X_i \notin [(1 - \eta)A;\ (1 + \eta)A]\Bigr\} \le 2D\exp\Bigl(-L\,\frac{a\eta^2}{2\ln 2}\Bigr),$

where $[A; B] = \{X : A \le X \le B\}$ is an interval in the operator order. □

Example 12 Assume any set of distinct pure qubit states $W_x = |\psi_x\rangle\langle\psi_x|$. Then, with $\rho = \sum_x P(x)W_x$, the rate

$\max_P\{H(P) - S(\rho)\}$

is achievable. Because of $S(\rho) \le 1$ this is positive if the input alphabet has at least three symbols; in the case of two input symbols it is positive iff the two states are non-orthogonal.
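As an added numerical illustration of Example 12 (example code for this page, not from the paper): for pure states $S(W_x) = 0$, so $\chi = S(\rho)$, and a qubit state with Bloch vector $r$ has von Neumann entropy $H\bigl(\tfrac{1+|r|}{2}, \tfrac{1-|r|}{2}\bigr)$. Representing each pure state by its Bloch vector therefore lets the rate of eq. (8) be evaluated without any matrix diagonalisation. The state sets (two orthogonal states, two non-orthogonal states, three equiangular "trine" states) and the grid search over $P$ for two-state ensembles are constructions of this example.

```python
"""Rate H(P) - S(rho) of Example 12 for ensembles of pure qubit states
(added example; not the paper's code)."""
import math


def h2(p):
    """Binary entropy in bits."""
    return -sum(q * math.log2(q) for q in (p, 1 - p) if q > 0)


def bloch(theta, phi):
    """Bloch vector of the pure state cos(theta/2)|0> + e^{i phi} sin(theta/2)|1>."""
    return (math.sin(theta) * math.cos(phi),
            math.sin(theta) * math.sin(phi),
            math.cos(theta))


def von_neumann_entropy_qubit(r):
    """S(rho) for the qubit state with Bloch vector r: eigenvalues (1 +- |r|)/2."""
    norm = math.sqrt(sum(c * c for c in r))
    return h2((1 + norm) / 2)


def commitment_rate(P, states):
    """H(P) - chi({P(x); W_x}) for pure states W_x given as Bloch vectors (eq. (8));
    for pure states chi reduces to S(rho) with rho = sum_x P(x) W_x."""
    HP = -sum(p * math.log2(p) for p in P if p > 0)
    rho = [sum(p * s[i] for p, s in zip(P, states)) for i in range(3)]
    return HP - von_neumann_entropy_qubit(rho)


def best_rate_two_states(states, steps=1000):
    """max over P = (q, 1-q) of the rate for a two-state ensemble, by grid search."""
    return max(commitment_rate([i / steps, 1 - i / steps], states)
               for i in range(steps + 1))


def orthogonal_pair():
    return [bloch(0.0, 0.0), bloch(math.pi, 0.0)]          # |0>, |1>


def nonorthogonal_pair():
    return [bloch(0.0, 0.0), bloch(math.pi / 2, 0.0)]      # |0>, |+>


def trine():
    """Three equiangular pure states in the x-z plane of the Bloch sphere."""
    return [bloch(0.0, 0.0), bloch(2 * math.pi / 3, 0.0), bloch(4 * math.pi / 3, 0.0)]


if __name__ == "__main__":
    print("orthogonal pair:   ", best_rate_two_states(orthogonal_pair()))
    print("non-orthogonal pair:", best_rate_two_states(nonorthogonal_pair()))
    print("uniform trine:      ", commitment_rate([1 / 3] * 3, trine()))
```

The orthogonal pair gives rate 0 for every $P$ (the mixed state is diagonal, so $S(\rho) = H(P)$), the non-orthogonal pair gives a strictly positive rate, and the uniform trine has $\rho = \mathbb{1}/2$, so its rate is $\log 3 - 1$, in line with the remark that three or more symbols always suffice.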

This is no contradiction to Mayers' no-go theorem for quantum bit commitment even though the channel might appear to be noiseless: it is, however, not a noiseless qubit channel, because the states are restricted to a set of pure states. Modelled as a completely positive map, it would be a measure-and-prepare channel of the form

$W : \mathcal{B}(\mathbb{C}^{\mathcal{X}}) \to \mathcal{B}(\mathcal{H}),$

$\sigma \mapsto \sum_x \langle x|\sigma|x\rangle\, W_x.$

I.e., its use involves a "guaranteed (von Neumann) measurement" on all messages which come from Alice.

Regarding theorem 10, we conjecture the achievable rate stated there to remain optimal even if unlimited noiseless quantum communication is allowed. There is however the much more interesting question of more general quantum channels, for example a depolarising qubit channel, the quantum analogue of a binary symmetric channel: does it allow bit commitment, and if so, at which rate?

This generalisation may be significant because, first of all, information theoretically secure bit commitment is not possible with noiseless quantum communication [20]. Here we have shown that it is possible under the assumption of a noisy channel. This opens the possibility of perhaps having bit commitment under realistic conditions where one can ensure that all available channels are noisy.

7 Discussion 

We have considered bit-string commitment by using a noisy channel and have 
characterised the exact capacity for this task by a single-letter formula. This 
implies a lower bound on the coin tossing capacity of that channel by the same 
formula, which in fact we conjecture to be an equality. 

Satisfactory as this result is, it has to be noted that we are not able in 
general to provide an explicit protocol: our proof is based on the random coding 
technique and shows only existence. What is more, even if one finds a good 
code it will most likely be inefficient: the codebook is just the list of £ afl . In 
this connection we conjecture that the commitment capacity can be achieved 
by random linear codes (compare the situation for channel coding!). It is in any 
case an open problem to find efficient good codes, even for the binary symmetric 
channel. Note that we only demand efficient encoding — there is no decoding 
of errors in our scheme, only an easily performed test. 

Our scheme is a block-coding method: Alice has to know the whole of her 
message, say a bit string, before she can encode. One might want to use our 
result as a building block in other protocols which involve committing to bits at 
various stages — then the natural question arises whether there is an "online" 
version which would allow Alice to encode and send bits as she goes along. 

In the same direction of better applicability it would be desirable to extend 
our results to a more robust notion of channel: compare the work of [15] where 
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a cheater is granted partial control over the channel characteristics. Still, the 
fixed channel is not beyond application: note that it can be simulated by 
pre-distributed data from a trusted party via a "noisy one-time pad" (compare [3] 
and PU). 

Another open question of interest is to determine the reliability function, 
i.e., the optimal asymptotic rate of the error $\varepsilon + \delta$ (note that implicit in our 
proposition [S] is a lower bound): it is especially interesting at $R = 0$, because 
there the rate tells exactly how secure single-bit commitment can be made. 

Finally, we have outlined that a class of quantum channels also allows bit 
commitment: they even have a commitment capacity of the same form as the 
classical result. This opens up the possibility of unconditionally secure bit 
commitment for other noisy quantum channels. 

We hope that our work will stimulate the search for optimal rates of other 
cryptographic primitives, some of which are possible based on noise, e.g. obliv- 
ious transfer. 
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A Typical sequences 

This appendix collects some facts about typical sequences used in the main body 
of the text. We follow largely the book of Csiszár and Körner [14]. 

The fundamental fact we shall use is the following large deviation version of 
the law of large numbers: 

Lemma 13 (Chernoff) For i.i.d. random variables $X_1, \ldots, X_n$, with $0 \le X_\nu \le 1$ 
and with expectation $\mathbb{E}X_\nu = p$: 

\[
\Pr\Bigl\{ \frac{1}{n}\sum_{\nu=1}^{n} X_\nu < (1-\eta)p \Bigr\}
\le \exp\Bigl( -n \frac{\eta^2 p}{2\ln 2} \Bigr),
\]

\[
\Pr\Bigl\{ \frac{1}{n}\sum_{\nu=1}^{n} X_\nu > (1+\eta)p \Bigr\}
\le \exp\Bigl( -n \frac{\eta^2 p}{2\ln 2} \Bigr).
\]

□ 



For a probability distribution $P$ on $\mathcal{X}$ and $\varepsilon > 0$ define the set of $\varepsilon$-typical 
sequences: 

\[
T^n_{P,\varepsilon} = \bigl\{ x^n : \forall x\ \ |N(x|x^n) - P(x)n| \le \varepsilon n
\ \&\ P(x) = 0 \Rightarrow N(x|x^n) = 0 \bigr\},
\]

with the number $N(x|x^n)$ denoting the number of letters $x$ in the word $x^n$. The 
probability distribution $P_{x^n}(x) = \frac{1}{n} N(x|x^n)$ is called the type of $x^n$. Note that 
$x^n \in T^n_{P,\varepsilon}$ is equivalent to $|P_{x^n}(x) - P(x)| \le \varepsilon$ for all $x$. 

These are the properties of typical sequences we shall need: 

\[
P^{\otimes n}\bigl(T^n_{P,\varepsilon}\bigr) \ge 1 - 2|\mathcal{X}| \exp(-n\varepsilon^2/2). \tag{9}
\]

This is an easy consequence of the Chernoff bound, lemma 13, applied to the 
indicator variables $X_k$ of the letter $x$ in position $k$ in $X^n$, with $\eta = \varepsilon P(x)^{-1}$. 

\[
\forall x^n \in T^n_{P,\varepsilon}:\quad
P^{\otimes n}(x^n) \le \exp(-nH(P) + n\varepsilon D), \qquad
P^{\otimes n}(x^n) \ge \exp(-nH(P) - n\varepsilon D), \tag{10}
\]

with the constant $D = \sum_{x : P(x) \neq 0} -\log P(x)$. See [13]. 

\[
|T^n_{P,\varepsilon}| \le \exp(nH(P) + n\varepsilon D), \tag{11}
\]

\[
|T^n_{P,\varepsilon}| \ge \bigl(1 - 2|\mathcal{X}| \exp(-n\varepsilon^2/2)\bigr) \exp(nH(P) - n\varepsilon D). \tag{12}
\]

This follows from eq. (10). These estimates also allow to lower bound the size 
of sets with large probability: assume $P^{\otimes n}(C) \ge \eta$, then 

\[
|C| \ge \bigl(\eta - 2|\mathcal{X}| \exp(-n\varepsilon^2/2)\bigr) \exp(nH(P) - n\varepsilon D). \tag{13}
\]
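The definitions and bounds above made concrete, as an added example that is not part of the paper: a membership test for $T^n_{P,\varepsilon}$ over any alphabet (including the $P(x) = 0$ clause), and for a binary $P$ an exact enumeration of $P^{\otimes n}(T^n_{P,\varepsilon})$ and $|T^n_{P,\varepsilon}|$ compared against (9), (11) and (12). It assumes that $\exp$ and $\log$ are to base 2, as the $2\ln 2$ in lemma 13 suggests.

```python
# Added example, not from the paper: the binary typical set T^n_{P,eps} and
# the bounds (9), (11), (12) above, checked by exact enumeration for |X| = 2.
# Assumption: exp() and log() are to base 2, as the paper's "2 ln 2" suggests.
from math import comb, log2

def type_of(xn):
    """The type P_{x^n}(x) = N(x|x^n) / n of a word, as a dict over its letters."""
    n = len(xn)
    return {x: xn.count(x) / n for x in set(xn)}

def is_typical(xn, P, eps):
    """Membership in T^n_{P,eps}: |N(x|x^n) - P(x) n| <= eps n for every x,
    and N(x|x^n) = 0 whenever P(x) = 0 (P given as a dict letter -> prob)."""
    n = len(xn)
    for x in set(xn) | set(P):
        N = xn.count(x)
        if P.get(x, 0.0) == 0 and N > 0:
            return False
        if abs(N - P.get(x, 0.0) * n) > eps * n:
            return False
    return True

def typical_set_stats(p, n, eps):
    """For P = (1-p, p) on X = {0, 1}: (P^{(x)n}(T), |T|) with T = T^n_{P,eps}.
    A word is typical iff |N(1|x^n) - p n| <= eps n (the condition for the
    letter 0 is the same inequality), so we sum over k = N(1|x^n)."""
    prob, size = 0.0, 0
    for k in range(n + 1):
        if abs(k - p * n) <= eps * n:
            size += comb(n, k)
            prob += comb(n, k) * p ** k * (1 - p) ** (n - k)
    return prob, size

def bounds(p, n, eps):
    """Right-hand sides of (9), (11) and (12) for the binary P above."""
    H = -sum(q * log2(q) for q in (p, 1 - p) if q > 0)   # H(P)
    D = -sum(log2(q) for q in (p, 1 - p) if q > 0)       # D = sum_x -log P(x)
    prob_lower = 1 - 2 * 2 * 2.0 ** (-n * eps ** 2 / 2)  # 1 - 2|X| exp(-n eps^2/2)
    size_upper = 2.0 ** (n * H + n * eps * D)
    size_lower = prob_lower * 2.0 ** (n * H - n * eps * D)
    return prob_lower, size_upper, size_lower

def check(p, n, eps):
    """True iff the enumerated probability and size satisfy (9), (11), (12)."""
    prob, size = typical_set_stats(p, n, eps)
    prob_lower, size_upper, size_lower = bounds(p, n, eps)
    return prob >= prob_lower and size_lower <= size <= size_upper
```

With $n = 500$, $\varepsilon = 0.2$ and $p = 0.3$ the lower bound in (9) is already $1 - 4 \cdot 2^{-10}$, and the enumerated size of the typical set lies between the two exponential bounds, which are loose by a factor of $\exp(2n\varepsilon D)$.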

We also use these notions in the "non-stationary" case: consider a channel 
$W : \mathcal{X} \to \mathcal{Z}$, and an input string $x^n \in \mathcal{X}^n$. Then define, with $\varepsilon > 0$, the set of 
conditional $\varepsilon$-typical sequences: 

\[
T^n_{W,\varepsilon}(x^n) = \bigl\{ z^n : \forall x,z\ \ |N(xz|x^n z^n) - nW(z|x)P_{x^n}(x)| \le \varepsilon n
\ \&\ W(z|x) = 0 \Rightarrow N(xz|x^n z^n) = 0 \bigr\}
= \prod_x T^{I_x}_{W_x,\,\varepsilon n/|I_x|},
\]

with $I_x$ the sets of positions in the word $x^n$ where $x_k = x$. The latter product 
representation allows to easily transport all of the above relations for typical 
sequences to conditional typical sequences: 

\[
W^{\otimes n}_{x^n}\bigl(T^n_{W,\varepsilon}(x^n)\bigr) \ge 1 - 2|\mathcal{X}||\mathcal{Z}| \exp(-n\varepsilon^2/2). \tag{14}
\]

\[
\forall z^n \in T^n_{W,\varepsilon}(x^n):\quad
W^{\otimes n}_{x^n}(z^n) \le \exp(-nH(W|P_{x^n}) + n\varepsilon E), \qquad
W^{\otimes n}_{x^n}(z^n) \ge \exp(-nH(W|P_{x^n}) - n\varepsilon E), \tag{15}
\]

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with $E = \max_x \sum_{z : W_x(z) \neq 0} -\log W_x(z)$ and the conditional entropy $H(W|P) =$ 

\[
|T^n_{W,\varepsilon}(x^n)| \le \exp(nH(W|P_{x^n}) + n\varepsilon E), \tag{16}
\]

\[
|T^n_{W,\varepsilon}(x^n)| \ge \bigl(1 - 2|\mathcal{X}||\mathcal{Z}| \exp(-n\varepsilon^2/2)\bigr) \exp(nH(W|P_{x^n}) - n\varepsilon E). \tag{17}
\]

A last elementary property: for $x^n$ of type $P$ and output distribution $Q$, with 

\[
T^n_{W,\varepsilon}(x^n) \subset T^n_{Q,\varepsilon|\mathcal{X}|}. \tag{18}
\]

As an application, let us prove the following lemma: 

Lemma 14 For words $x^n$ and $y^n$ with $d_H(x^n, y^n) \ge \alpha n$, and a channel $W$ such 
that 

\[
\forall x \in \mathcal{X},\ P \text{ p.d. with } P(x) = 0:\quad \| W_x - PW \|_1 \ge \eta,
\]

one has, with $\varepsilon = \dfrac{\alpha\eta}{2|\mathcal{X}|^2|\mathcal{Z}|}$, 

\[
W^{\otimes n}_{y^n}\bigl(T^n_{W,\varepsilon}(x^n)\bigr) \le 2\exp(-n\varepsilon^4/2).
\]

Proof. There exists an $x$ such that the word $x^{I_x}$ (composed of letters $x$ only) has 
distance at least $\frac{1}{|\mathcal{X}|}\alpha n$ from $y^{I_x}$. In particular, $N_x := N(x|x^n) = |I_x| \ge \frac{1}{|\mathcal{X}|}\alpha n$. 
This implies also, by assumption on the channel, 

\[
\Bigl\| \sum_{k \in I_x} W_{y_k} - N_x W_x \Bigr\|_1 \ge \frac{1}{|\mathcal{X}|}\alpha\eta n .
\]

Hence there must be a $z \in \mathcal{Z}$ with 

\[
\Bigl| \sum_{k \in I_x} W_{y_k}(z) - N_x W_x(z) \Bigr| \ge \frac{1}{|\mathcal{X}||\mathcal{Z}|}\alpha\eta n .
\]

By definition, this in turn implies that for all $z^n \in T^n_{W,\varepsilon}(x^n)$, 

\[
\Bigl| N(z|z^{I_x}) - \sum_{k \in I_x} W_{y_k}(z) \Bigr| \ge \frac{1}{2|\mathcal{X}||\mathcal{Z}|}\alpha\eta N_x .
\]

Introducing the sets $J_{xy} = \{k \in I_x : y_k = y\}$, with cardinalities $N_{xy} = |J_{xy}|$, 
there is a $y$ such that (still for all $z^n \in T^n_{W,\varepsilon}(x^n)$), 

\[
\bigl| N(z|z^{J_{xy}}) - N_{xy} W_y(z) \bigr|
\ge \frac{1}{2|\mathcal{X}|^2|\mathcal{Z}|}\alpha\eta N_x
\ge \frac{1}{2|\mathcal{X}|^2|\mathcal{Z}|}\alpha\eta N_{xy} .
\]

This implies a lower bound on $N_{xy}$, and with lemma 13 we obtain the claim. 

□ 
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